Employers that sponsor group health plans must understand their responsibilities under the Health Insurance Portability and Accountability Act (HIPAA), especially regarding the notice of privacy practices. If your organization offers a fully insured plan and does not receive or maintain protected health information (PHI) beyond enrollment or summary data, many HIPAA privacy requirements — including issuing the notice — may not apply to you. In those cases, the insurance carrier is responsible for distributing the notice to plan participants. However, it’s still important for employers to be aware of these rules and work closely with insurers to ensure privacy practices are understood and upheld.
On the other hand, self-insured plans or plans where the employer maintains PHI beyond basic enrollment data must provide a HIPAA-compliant notice of privacy practices to plan participants. This notice outlines how PHI may be used, individuals’ rights under HIPAA, and how to file a complaint. It must be given at enrollment, within 60 days of any material change, and upon request. At least once every three years, participants must be reminded that the notice is available and how to obtain it. Employers can distribute the notice by mail, by email (with the participant's consent), or by including it with open enrollment or summary plan description (SPD) materials, and they must also post it on any benefits-related website they maintain.
Remaining compliant with HIPAA’s notice requirements protects both employees’ privacy and your organization from regulatory risk. If you need help understanding whether your plan qualifies as fully insured or self-funded, or how to properly issue notices, our team at aHRrow is here to assist.